The most notable ransomware-as-a-service (RaaS) groups are well-known for the widely publicized attacks they conduct, even outside of the cybersecurity community. However, there also exist smaller, very short-lived groups that use ransomware derived from existing variants. They’re often considered “unsophisticated” threat groups and may be taken less seriously than a more established organization would be. How you deal with each type is important.
The first step, though, is to define the terms. Ransomware has many aspects to it, including:
This article will break down some of the differences between sophisticated and unsophisticated threat actors in these categories.
RaaS is a familiar topic by now, and these groups’ power in letting aspiring threat actors execute ransomware attacks with little technical expertise is well known. But smaller ransomware groups exist that do not operate as a RaaS. Some may be operated by a single threat actor or a small group of actors, and may be extremely short-lived.
A brief look through BleepingComputer’s The Week in Ransomware series shows how numerous these transient variants are. In many cases, we’ll likely never hear about a publicly disclosed ransomware attack from these threat actors.
This is in large part because RaaS groups tend to be well-resourced in terms of finances and team members, while these smaller groups likely are not. This lack of sophistication is also observable in the quality of their tools, how they conduct attacks, and how they seek to secure payment.
In addition, state-sponsored groups will sometimes use tools created by ransomware groups. For example, after OFAC sanctioned EvilCorp in 2019, UNC2165 shifted to using LockBit to continue receiving payments.
Prior to dropping the final ransomware payload, threat actors will often perform some combination of moving laterally in the network, establishing a persistence mechanism, escalating privileges, and identifying data of interest.
Here, threat actors—both those deploying ransomware and state-sponsored—often use openly available tools, living-off-the-land (LotL) techniques, or tools purchased on the dark web in their attacks.
The benefit of using these kinds of tools is two-fold: they are easy for actors to acquire and use without the need to create their own, and some of them blend in with normal system administrator behavior, making them challenging to detect.
Here, the true stratification between a more sophisticated threat actor and a less sophisticated one is much harder to understand without studying large volumes of endpoint data from real attacks, which is often kept very general in open sources.
What we would likely find is that there are a wide variety of tools threat actors use, and likely significant overlap between both groups, especially with respect to tools like PowerShell scripts, Cobalt Strike, BloodHound, ADFind or Mimikatz.
However, the least sophisticated threat actors—those with little experience or expertise—may just drop the ransomware and not even engage in this step of an attack.
One defining feature of ransomware groups is the specific payload they use to encrypt victims’ computers. This is where a lot of group-specific attributes are most noticeable, particularly in the verbiage of the ransom note and the specific tooling.
Here, groups have three main options for creating their ransomware payload:
In the case of Conti, an insider leaked source code, allowing easy access to highly effective ransomware. Additionally, groups such as ALPHV, and the now-disbanded REvil and BlackMatter, had developers who wrote the ransomware, then made feature additions and bug fixes as needed.
While these groups will occasionally bring developers or code from a previous operation to a new one, in general, the code is largely specific to the group and requires a level of technical sophistication to create.
As we saw with the Thanos Builder in particular, additional variants such as Prometheus, Haron, Spook and Midas emerged, indicating that some threat actors likely used Thanos as a starting point and modified its source code to create their new ransomware variants. It’s likely that threat actors using a ransomware builder, either out-of-the-box or with small modifications to its code, are less technically sophisticated than those writing their own code.
Among the most prolific ransomware are variants of Dharma (or Crysis, or Phobos) ransomware, partially due to the availability of its source code to threat actors who can modify it.
The last step of any successful ransomware attack typically involves extorting the victim into paying up. Many RaaS groups have well-known leak sites, where they threaten to leak stolen files if the ransom is not paid, but they’ve also branched out into contacting customers or suppliers of victim companies or executing DDoS attacks to increase the pressure to pay. One notorious gang, ALPHV, has expanded on the idea of a leak site, creating a search portal for victims to identify stolen data.
While some less sophisticated groups like Vice Society engage in the “double extortion” of victims, some smaller groups will not even engage in that, let alone the more extensive extortion tactics. RaaS groups, in contrast, generally provide information to the victim on how to access their chat portal accessible via Tor to negotiate, and will most likely demand payment in Bitcoin.
So what could an unsophisticated payment scheme look like? Some considerably less sophisticated groups are demanding payments in other currencies. For example, threat actors associated with WannaFriendMe ransomware required payment in the form of Robux, currency associated with the Roblox game.
Another ransomware family, Xrom, provides an email address for victims to contact to negotiate; yet another, Helphack, defines a (relatively low) pre-set amount for the ransom, as well as providing an email address.
As with most ransomware, defending against either “sophisticated” or “unsophisticated” ransomware is best done before the actual tools are dropped.
Since there is likely a lot of overlap in the TTPs employed by ransomware threat actors of all kinds prior to the dropping of the final payload, prioritizing detections for the most common and powerful tools, especially those highlighted in this article, is beneficial. However, with the number of unsophisticated ransomware actors using ransomware builders, or variants of the same core code, there are opportunities for implementing detection for the overlap between the variants.
While this won’t help with detecting the new tools used by threat actors with a high level of technical expertise, it certainly helps with those used by less technically versed threat actors. As a result, personnel and resources can be prioritized toward higher-value tasks.
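The overlap between builder-derived variants that the closing paragraphs describe can be turned into a detection directly: whatever the variants share after the per-victim fields are stripped is the builder's template. The following is an added example, not code from the original article. It works on constructed ransom notes for three hypothetical variants of one hypothetical builder (no real family is represented), collapses emails and victim IDs to placeholders, keeps only the word 4-grams common to every known sample, and scores an unseen note by how much of that shared signature it contains.

```python
import re

N = 4  # n-gram length in tokens; long enough that generic English phrases rarely match


def normalize(text: str) -> list[str]:
    """Lowercase, replace per-victim fields with placeholders, and split into word tokens.
    Contact addresses and victim IDs differ per sample even when the template is identical,
    so they are collapsed before n-grams are taken."""
    text = text.lower()
    text = re.sub(r"\S+@\S+", " <email> ", text)
    text = re.sub(r"\b[0-9a-f]{4}-[0-9a-f]{4}\b", " <id> ", text)
    return re.findall(r"<email>|<id>|[a-z0-9]+", text)


def ngrams(tokens: list[str], n: int = N) -> set[tuple]:
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def build_signature(samples: dict[str, str], n: int = N) -> set[tuple]:
    """N-grams present in every known sample: the part of the template the builder reuses."""
    sets = [ngrams(normalize(t), n) for t in samples.values()]
    return set.intersection(*sets) if sets else set()


def coverage(text: str, signature: set[tuple], n: int = N) -> float:
    """Fraction of the shared signature found in an unseen text (0.0 .. 1.0)."""
    if not signature:
        return 0.0
    return len(signature & ngrams(normalize(text), n)) / len(signature)


def classify(text: str, signature: set[tuple], threshold: float = 0.6) -> bool:
    return coverage(text, signature) >= threshold


# Constructed notes for three hypothetical variants of one hypothetical builder family.
KNOWN_NOTES = {
    "greenmoth": """YOUR FILES HAVE BEEN LOCKED BY GREENMOTH
All documents, photos and databases were encrypted with a strong algorithm.
Do not try to restore files yourself or they will be damaged.
Write to us: greenmoth@example.invalid
Your personal ID: 7F3A-0001""",
    "bluespook": """YOUR FILES HAVE BEEN LOCKED BY BLUESPOOK
All documents, photos and databases were encrypted with a strong algorithm.
Do not try to restore files yourself or they will be damaged.
Contact us within 72 hours.
Write to us: bluespook@example.invalid
Your personal ID: 9C10-0002""",
    "redhorn": """YOUR FILES HAVE BEEN LOCKED BY REDHORN
All documents, photos and databases were encrypted with a strong algorithm.
Do not try to restore files yourself or they will be damaged.
Write to us: redhorn@example.invalid
Your personal ID: A0B1-0003
Price doubles after 3 days.""",
}

# A constructed fourth variant the signature has never seen, built from the same template.
NEW_NOTE = """YOUR FILES HAVE BEEN LOCKED BY GREYFANG
All documents, photos and databases were encrypted with a strong algorithm.
Do not try to restore files yourself or they will be damaged.
Write to us: greyfang@example.invalid
Your personal ID: 1A2B-0004
We will also publish your data."""

# Same template with one word changed, to show partial coverage rather than a hard miss.
REWORDED_NOTE = NEW_NOTE.replace("encrypted", "scrambled")

# Constructed benign text that shares individual words but not the template.
BENIGN_TEXT = ("Quarterly report: all documents are in the shared drive. "
               "Do not forget to restore backups before you write to us.")

if __name__ == "__main__":
    sig = build_signature(KNOWN_NOTES)
    print(len(sig), "shared 4-grams")
    for label, text in [("new variant", NEW_NOTE), ("reworded", REWORDED_NOTE), ("benign", BENIGN_TEXT)]:
        print(f"{label:12s} coverage={coverage(text, sig):.2f} match={classify(text, sig)}")
```

The threshold is deliberately below 1.0: a derived variant usually edits a line or two of the note, and the coverage score degrades gracefully with each edit instead of failing outright, which is what makes one signature serve a whole family of builder outputs.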